ID-based Restrictive Partially Blind Signatures
and Applications
Xiaofeng Chen1
, Fangguo Zhang1
, and Shengli Liu2 1
Department of Computer Science,
Sun Yat-sen University, Guangzhou 510275, P.R.China [email protected]
2
Department of Electronics and Communication Engineering, Sun Yat-sen University, Guangzhou 510275, P.R.China
Department of Computer Science,
Shanghai Jiao Tong University, Shanghai 200030, P.R.China [email protected]
Abstract. Restrictive blind signatures allow a recipient to receive a blind signature on a message not known to the signer but the choice of message is restricted and must conform to certain rules. Partially blind signatures allow a signer to explicitly include necessary in-formation (expiration date, collateral conditions, or whatever) in the resulting signatures under some agreement with receiver. Restrictive partially blind signatures incorporate the advantages of these two blind signatures. The existing restrictive partially blind signature scheme was constructed under certificate-based (CA-based) public key systems. In this pa-per we follow Brand’s construction to propose the first identity-based (ID-based) restrictive blind signature scheme from bilinear pairings. Furthermore, we first propose an ID-based restrictive partially blind signature scheme, which is provably secure in the random oracle model. As an application, we use the proposed signature scheme to build an untraceable off-line electronic cash system followed Brand’s construction.
Key words: ID-based systems, Blind signatures, Bilinear pairings.
1
Introduction
Blind signatures, introduced by Chaum [10], allow a recipient to obtain a signature on messagem without revealing anything about the message to the signer. Blind signatures play an important role in a plenty of applications such as electronic voting, electronic cash schemes where anonymity is of great concern. About the formal definition and security of blind signature schemes, refer to [14, 16–18].
Restrictive blind signatures, firstly introduced by Brands [5, 6], which allow a recipient to receive a blind signature on a message not known to the signer but the choice of the message is restricted and must conform to certain rules. Furthermore, he proposed a highly efficient electronic cash system, where the bank ensures that the user is restricted to embed his identity in the resulting blind signature.
explicitly includes common agreed information which remains clearly visible despite the blinding process. This notion overcomes some disadvantages of fully blind signatures such as the signer has no control over the attributes except for those bound by the public key. Partially blind signatures play an important role in designing efficient electronic cash systems. For example, the bank does not require different public keys for different coins values. On the other hand, the size of the database that stored the previously spent coins to detect double-spending would not increase infinitely over time.
Maitland and Boyd [15] first incorporated these two blind signatures and proposed a prov-ably secure restrictive partially blind signature scheme, which satisfies the partial blindness and restrictive blindness. Their scheme followed the construction proposed by Abe and Okamoto [2] and used Brand’s restrictive blind signature scheme. However, their scheme was constructed un-der the CA-based public key systems. There seems no such schemes unun-der the ID-based public key systems to the best of our knowledge.
The concept of ID-based public key systems, proposed by Shamir in 1984 [19], allows a user to use his identity as the public key. It can simplify key management procedure compared to CA-based systems, so it can be an alternative for CA-CA-based public key systems in some occasions, especially when efficient key management and moderate security are required. Many ID-based schemes have been proposed after the initial work of Shamir, but most of them are impractical due to low efficiency. Recently, the bilinear pairings have been found various applications in cryptography, more precisely, they can be used to construct ID-based cryptographic schemes [3, 4, 13, 20].
Recently, Chowet al first presented an ID-based partially blind signature scheme [12]. In this paper, we utilize their scheme to propose an ID-based restrictive partially blind signature scheme from bilinear pairings. Our contribution is two folds:
1. We first propose an ID-based restrictive blind signature scheme using the ID-based knowledge proof for the equality of two discrete logarithms from bilinear pairings.
2. We first introduce the notion of ID-based restrictive partially blind signatures and propose a concrete signature scheme from bilinear pairings. Furthermore, we give a formal proof of security for the proposed scheme in the random oracle model.
The rest of the paper is organized as follows: Some preliminaries are given in Section 2. The definitions associated with ID-based restrictive partially blind signatures are introduced in Section 3. Two building blocks of ID-based restrictive partially blind signatures are given in Section 4. The proposed restrictive partially blind signature scheme and its security analysis are given in Section 5. Finally, conclusions will be made in Section 6.
2
Preliminaries
In this section, we will briefly describe the basic definition and properties of bilinear pairings and gap Diffie-Hellman group. We also introduce ID-based public key setting and a knowledge proof for the equality of two discrete logarithms from bilinear pairings.
2.1 Bilinear Pairings
Let G1 be a cyclic additive group generated by P, whose order is a prime q, and G2 be a cyclic multiplicative group of the same order q. Let a, b be elements of Z∗
the discrete logarithm problem (DLP) in bothG1 andG2 are hard. A bilinear pairing is a map e:G1×G1→G2 with the following properties:
1. Bilinear:e(aP, bQ) =e(P, Q)ab;
2. Non-degenerate: There existsP andQ∈G1 such thate(P, Q)6= 1;
3. Computable: There is an efficient algorithm to computee(P, Q) for allP, Q∈G1.
2.2 Gap Diffie-Hellman Group
LetGbe a cyclic multiplicative group generated byg, whose order is a primeq, assume that the inversion and multiplication inG can be computed efficiently. We first introduce the following problems inG.
1. Discrete Logarithm Problem (DLP): Given two elementsgandh, to find an integern∈Z∗
q, such thath=gn whenever such an integer exists.
2. Computation Diffie-Hellman Problem (CDHP): Giveng, ga, gbfora, b∈Z∗
q,to computegab. 3. Decision Diffie-Hellman Problem (DDHP): Given g, ga, gb, gc for a, b, c ∈ Z∗
q, to decide whetherc≡abmodq.
We callGa gap Diffie-Hellman group if DDHP can be solved in polynomial time but there is no polynomial time algorithm to solve CDHP with non-negligible probability. Such groups can be found in supersingular elliptic curve or hyperelliptic curve over finite field, and the bilinear pairings can be derived from the Weil or Tate pairings. For more details, see [3, 9, 13].
Throughout the rest of this paper we defineG1be a gap Diffie-Hellman group of prime orderq, G2 be a cyclic multiplicative group of the same orderqand a bilinear pairinge:G1×G1→G2. Define four cryptographic secure hash functions H : {0,1}∗
→ G1, H1 : G2 4
→ Zq, H2 : {0,1}∗
×G1→Zq andH3:G1 2
×G2 4
→Zq.
2.3 ID-based Setting from Bilinear Pairings
The ID-based public key systems allow some public information of the user such as name, address and emailetc., rather than an arbitrary string to be used his public key. The private key of the user is calculated by PKG and sent to the user via a secure channel.
ID-based public key setting from bilinear pairings can be implemented as follows:
– Setup: PKG chooses a random number s ∈ Z∗
q and set Ppub = sP. The center publishes system parametersparams={G1, G2, e, q, P, Ppub, H},and keepsas themaster-key, which is known only himself.
– Extract:A user submits his/her identity informationIDto PKG. PKG computes the user’s
public key asQID=H(ID),and returnsSID=sQID to the user as his/her private key.
2.4 ID-based Knowledge Proof for the Equality of Two Discrete Logarithm from
Bilinear Pairings
protocol to solve this problem. Motivated by this idea, Baek and Zheng [7, 8] construct a new ID-based knowledge proof for the equality of two discrete logarithms from bilinear pairings.
Define g = e(P, QID), u = e(Ppub, QID), h = e(L, QID) and v = e(L, SID), where P and L are independent points of G1. The following protocol presents a knowledge proof of that loggu= loghv. An interesting property of this proof is that even the prover does not know the discrete logarithm loggu = loghv (just be convinced that it equals to the master-keys of the PKG), which is different from the previous protocols. With the notation of [4],< g, h, u, v >is called a Diffie-Hellman tuple.
– The prover randomly chooses an elementQ in G1 and computes a=e(P, Q), b =e(L, Q). The prover sends (a, b) to the verifier.
– The verifier randomly chooses an integerc∈Zq and sends cto the prover.
– The prover computesS=Q+cSID and sendsS to the verifier.
– The verifier checks whether e(P, S) = auc and e(L, S) = bvc. If both the equations hold, returns “accept”; else, returns “reject”.
3
Definitions
Abe and Okamoto first present the formal definition of partially blind signatures. Restrictive partially blind signatures can be regarded as partially blind signatures which also satisfies the property of restrictiveness. In the context of partially blind signatures, the signer and user are assumed to agree on a piece of information, denoted byinfo. In real applications,info may be decided by the negotiation between the signer and user. For the sake of simplicity, we omit this negotiation throughout this paper. In the following, we follow the definitions of [2, 14, 5, 12] to give a formal definition of ID-based restrictive partially blind signatures.
Definition 1. (ID-based Restrictive Partially Blind Signatures) An ID-based restrictive partially
blind signature scheme is a four-tuple(PG,KG,SG,SV).
– System Parameters GenerationPG:On input a security parameterk, outputs the
com-mon system parameters Params.
– Key GenerationKG:On inputParamsand an identity informationID, outputs the private
keysk=SID.
– Signature Generation SG: Let U and S be two probabilistic interactive Turing machines
and each of them has a public input tape, a private random tape, a private work tape, a private output tape, a public output tape, and input and output communication tapes. The random tape and the input tapes are read-only, and the output tapes are write-only. The private work tape is read-write. Suppose infois agreed common information between U and S. The public input tape of U contains ID and info. The public input tape of S contains info. The private input tape of S containssk, and that forU contains a message mwhich he knows a representation with respect to some bases inParams. The lengths ofinfoandm
are polynomial tok.U andSengage in the signature issuing protocol and stop in polynomial-time. When they stop, the public output of S contains either completed or not-completed. If it is completed, the private output tape of U contains either ⊥or(info, m, σ).
Definition 2. (Completeness) If S and U follow the signature issuing protocol, the signature scheme is complete if, for every constant c > 0, there exists a bound k0 such that S outputs completed andinfoon its proper tapes, andU outputs(info, m, σ)that satisfies
SV(ID,info, m, σ) =accept
with probability at least1−1/kc fork > k0. The probability is taken over the coin flips ofKG, S andU.
We say a message-signature tuple (info, m, σ) is valid with regard toIDif it leads toSV to accept.
Definition 3. (Restrictiveness) Letmbe a message such that the userU knows a representation
(a1,· · ·, ak) of m with respect to a generator-tuple(g1,· · ·, gk) at the start of a blind signature issuing protocol. Let(b1,· · ·, bk) be the representation U knows of the blinded numberm′ of m after the protocol finished. If there exist two functionI1 andI2 such that
I1(a1,· · · , ak) =I2(b1,· · · , bk)
regardless of m and the blinding transformation applied by U, then the protocol is called a re-strictive blind signature protocol. The functionI1 andI2 are called blinding-invariant functions of the protocol with respect to(g1,· · ·, gk).
Definition 4. (Partial Blindness) LetU0 andU1 be two honest users that follow the signature
issuing protocol.
1. sk=SID← KG(Params, ID).
2. (m0, m1,info0,info1)←S∗(1k, ID, sk). 3. Set up the input tapes of U0 andU1 as follows:
– Selectb∈R{0,1} and putmb andm1−b on the private input tapes ofU0 andU1, respec-tively.
– Put info0 and info1 on the public input tapes of U0 and U1, respectively. Also putID on their public input tapes.
– Randomly select the contents of the private random tapes. 4. S∗
engages in the signature issuing protocol with U0 andU1.
5. Let U0 and U1 output (info0, mb, σb)and(info0, m1−b, σ1−b), respectively, on their private
tapes. If info0 6= info1, then give ⊥ to S∗
. If info0 = info1, then provide S∗
with the additional inputs(σb, σ1−b)ordered according to the corresponding messages(mb, m1−b).
6. S∗ outputsb′ ∈ {0,1}. We say thatS∗ wins ifb′=b.
A signature scheme is partially blind if, for every constant c >0, there exists a bound k0 such that for all probabilistic polynomial-time algorithmS∗
,S∗
outputsb′
=bwith probability at most 1/2 + 1/kc for k > k
0. The probability is taken over the flips of KG, U0, U1, andS∗.
Definition 5. (Unforgeability) Suppose the adversaryAcan perform a polynomial bounded
num-ber of the following types of queries (including the hash queries and signing queries) in an adap-tively manner during the signature issuing protocol.
2. For eachinfo,Achooses a messagemand an identityID, the challengerCissues a signature σand send it to A.
3. Aoutputs a tuple(ID,info, m, σ), where(ID, m,info)is never queried before. We say the adversary Awins the game if σis a valid signature for mandinfo.
An ID-based partially blind signature scheme is existential unforgeable against adaptively chosen message and ID attacks if no probabilistic polynomial-time adversary can win the above game with a non-negligible advantage.
4
Building Blocks
In this section, we describe two building blocks of ID-based restrictive partially blind signatures. Firstly, we propose an ID-based restrictive blind signature scheme from bilinear pairings. We then introduce the ID-based partially blind signature scheme proposed by Chowet al.
4.1 ID-based Restrictive Blind Signature Scheme
Brand’s restrictive blind signature scheme is mainly based on Chaum-Pedersen’s knowledge proof of common exponent [11]. Maitland and Boyd [15] presented the following general construction based on Brand’s original scheme. In this paper, we first propose ID-based restrictive blind sig-nature scheme by using the ID-based knowledge proof for the equality of two discrete logarithms from bilinear pairings.
– PKG chooses a random number s∈ Z∗
q as the master-key and set Ppub =sP. The system parameters areparams={G1, G2, e, q, P, Ppub, H, H1}.
– The signer submits his/her identity informationIDto PKG. PKG computesQID=H(ID), and returnsSID=sQID to the user as his/her private key. For the sake of simplicity, define g=e(P, QID), y=e(Ppub, QID).
– Suppose the signed message isM ∈G1. 1
The signer generates a random numberQ∈RG1, and sendsz=e(M, SID), a=e(P, Q), andb=e(M, Q) to the receiver.
– The receiver generates random numbersα, β, u, v∈RZq and computes
M′=αM+βP, A=e(M′, QID), z′=zαyβ, a′=augv, b′=auβbuαAv. The receiver then computesc′
=H1(A, z′, a′, b′) and sendsc=c′/u modq to the signer.
– The signer responds withS=Q+cSID.
– The receiver accepts if and only if e(P, S) = ayc, e(M, S) = bzc. If the receiver accepts, computesS′
=uS+vQID.
(z′
, c′
, S′
) is a valid signature onM′
if the following equation holds:
c′=H1(e(M
′
, QID), z′, e(P, S′)y−c′, e(M′, S′)z′−c′). 1
This is because
A=e(M′
, QID)
e(P, S′) =e(P, uS+vQID) =e(P, S)ue(P, QID)v = (ayc)ugv=augvycu
=a′yc′ e(M′
, S′
) =e(M′
, uS+vQID) =e(M′
, S)ue(M′
, QID)v =e(αM+βP, S)uAv = (bzc)uα(ayc)uβAv =auβbuα(zαyβ)c′
Av
=b′z′c′
Thus, the receiver obtains a signature on the message M′
where M′
= αM +βP and (α, β) are values chosen by the receiver. In addition, in the particular case where β = 0, the above signature scheme achieves the restrictiveness [15]. For designing an electronic cash system, the system parameters consist of another two random generatorsP1andP2. A user chooses a random numberuas his identification information and computesM =uP1+P2. He then with the bank performs the signature issuing protocol to obtain a coin. When spending the coin at a shop, the user must provide a proof that he knows a representation ofM′with respect toP
1 andP2. This restrictsM′ must be the form ofαM. For more details, refer to [5].
4.2 ID-based Partially Blind Signature Scheme
Chowet al first presented the following ID-based partially blind signature scheme [12]. Suppose the signed message ismand the agreed common information is∆.
– PKG chooses a random number s∈ Z∗
q as the master-key and set Ppub =sP. The system parameters areparams={G1, G2, e, q, P, Ppub, H, H2}.
– The signer submits his/her identity informationIDto PKG. PKG computesQID=H(ID), and returnsSID=sQID to the user as his/her private key.
– The signer randomly choosesr∈RZ∗
q, and sends U =rP, Y =rQID to the receiver.
– The receiver generates random numbersα, β, γ∈RZ∗
q and computes Y′
=αY +αβQID−γH(∆), U′
=αU+γPpub, h=α−1
H2(m, Y
′
) +β. The receiver then sendshto the signer.
– The signer responds withS= (r+h)SID+rH(∆).
– The receiver computesS′
=αS.
The resulting signature for the messagemand the agreed information∆is (Y′, U′, S′) ife(S′, P) =
e(Y′+H
2(m, Y′)QID, Ppub)e(H(∆), U′) holds.
For the correctness and security analysis of the scheme, refer to [12].
5
ID-based Restrictive Partially Blind Signatures
5.1 ID-based Restrictive Partially Blind Signature Scheme
– System Parameters Generation PG:Given a security parameterk. The system
– Key Generation KG:On input Paramsand the signer’s identity informationID, outputs the private keySID=sQID=sH(ID) of the signer.
– Signature Generation SG:Let the shared informationinfo =∆, and a messageM from
the receiver. Defineg=e(P, QID), y=e(Ppub, QID). The signature issuing protocol is shown in Fig. 1.
• The signer randomly chooses an element Q∈R G1, and computes z =e(M, SID), a= e(P, Q), andb=e(M, Q). He also randomly chooses a number r∈R Z∗
q, and computes U =rP, andY =rQID. He then sends (z, a, b, U, Y) to the receiver.
• The receiver generates random numbers α, β, u, v, λ, µ, γ ∈R Zq, and computes M′ =
αM +βP,A=e(M′
, QID),z′
=zαyβ,a′
=augv,b′
=auβbuαAv,Y′
=λY +λµQID− γH(∆),U′
=λU+γPpub,c′
=H3(M′, Y′, U′, A, z′, a′, b′),h1=c′/u, andh2=λ−1c′+µ. He then sendsh1, h2to the signer.
• The signer responds withS1=Q+h1SID, S2= (r+h2)SID+rH(∆).
• If the equationse(P, S1) =ayh1 ande(M, S1) =bzh1 hold, the receiver computes S1′ = uS1+vQID, andS2′ =λS2.
The resulting signature for∆and messageM′ is a tuple (Y′, U′, z′, c′, S′
1, S
′
2).
– Signature VerificationSV:Given the messageM′, the shared information∆and the tuple
(Y′, U′, z′, c′, S′
1, S
′
2), the verifier accepts the signature if the following equations hold: c′
=H3(M′, Y′, U′, e(M′, QID), z′, e(P, S1′)y
−c′
, e(M′
, S′
1)z
′−c′
) e(S′2, P) =e(Y
′
+c′QID, Ppub)e(H(∆), U′).
5.2 Security Analysis
Theorem 1. The proposed scheme achieves the property of completeness.
Proof. Note that
A=e(M′, QID) e(P, S′
1) =e(P, S1)ue(P, QID)v = (ayh)ugv=a′yc
′
e(M′
, S′
1) =e(M
′
, S1)ue(M
′
, QID)v=e(αM+βP, S
1)uAv=b
′
z′c′
and
e(S′
2, P) =e(λS2, P)
=e((λr+λh2)SID+λrH(∆), P) =e((λr+c′
+λµ)SID, P)e(H(∆), λrP) =e((λr+c′
+λµ)QID, Ppub)e(H(∆), U′
−γPpub) =e((λr+c′+λµ)QID−γH(∆), Ppub)e(H(∆), U′) =e(Y′
+c′
QID, Ppub)e(H(∆), U′
) Thus, the proposed scheme achieves the property of completeness.
Proof. Similar to [5, 15], the restrictiveness nature of the scheme can be captured by the following assumption: The recipient obtains a signature on a message that can only be the form M′
= αM+βP with α and β randomly chosen by the recipient. In addition, in the particular case whereβ= 0, if there exists a representation (µ1, µ2) ofM with respect to basesP1 andP2such that M = µ1P1+µ2P2 and if there exists a representation (µ′1, µ
′
2) of M
′
with respect to g1 andg2 such thatM′ =µ′1P1+µ′2P2, then the relationI1(µ1, µ2) =µ1/µ2=µ′1/µ
′
2=I2(µ′1, µ
′
2) holds.
Theorem 3. The proposed scheme is partially blind.
Proof. Suppose S∗
is given ⊥ in step 5 of the game in definition 4, S∗
determines b with a probability 1/2 (the same probability as randomly guessingb).
If in step 5, the shared information ∆0 = ∆1. Let (Y′, U′, z′, c′, S1′, S
′
2, M
′) be one of the
signatures subsequently given to S∗. Let (Y, U, z, a, b, h
1, h2, S1, S2, M) be data appearing in the view of S∗
during one of the executions of the signature issuing protocol at step 4. It is sufficient to show that there exists a tuple of random blinding factors (α, β, u, v, λ, µ, γ) that maps (Y, U, z, a, b, h1, h2, S1, S2, M) to (Y′, U′, z′, c′, S1′, S
′
2, M
′
). LetS′
2=λS2,U′=λU+γPpubandY′ =λY+λµQID−γH(∆). The unique blinding factors (λ, µ, γ) are always exist.2
Letu=c′/h
1, we know there exists a unique blinding factorv which satisfies the equation S′
1=uS1+vQID. Determine a representation M′ =αM+βP, which is known to exist. Note that z′ = As and z = e(M, QID)s have been established by the interactive proof and the fact that the signature is valid. Therefore, z′ = e(M′, QID)s = zαyβ. Since e(P, S
1) = ayh1 and e(M, S1) =bzh1, we havea′=e(P, S1′)y
−c′
=augv andb′
=e(M′
, S′
1)(z
′
)−c′
=auβbuαAv. Thus, the blinding factors always exist which lead to the same relation defined in the signa-ture issuing protocol. Therefore, even an infinitely powerfulS∗ succeeds in determining b with
probability 1/2.
Theorem 4. The proposed scheme is secure against on the existential adaptively chosen message
and ID attacks under the assumption of CDHP inG1is intractable and the random oracle model.
Proof. The proof follows the security argument given by Chowet al [12].
5.3 Application for Electronic Cash System
We follow Brand’s construction to describe an electronic cash system using the proposed ID-based restrictive partially blind signature scheme. We denote the bank byB, a generic account-holder byU, and a generic shop byS.
The setup of the system. Let (P, P1, P2) be a random generator tuple of G1. Suppose PKG
chooses a random numbers∈Z∗
q as the master-key and setsPpub =sP. Bsubmits his identity informationIDto PKG and PKG computes the private keySIDforB. Define three cryptographic secure hash functionsH :{0,1}∗
→G,H0:G 3 1×G
5
2→ZqandH1:G×G×IDS×Date/T ime→ Zq. For the sake of simplicity, define g = e(P, QID), g1 = e(P1, QID), g2 = e(P2, QID), y = e(Ppub, QID).
2
Opening an account. WhenU opens an account atB,BrequestsU to identity himself.U then generates at random a numberu1 ∈RZq, and computes the unique account numberI =u1P1. IfM =u1P1+P2 6=O, then U transmitsI to B, and keepsu1 secret.B stores the identifying information of U in the account database, together with I. The information I enables B to uniquely identifyU in case he double-spends.
The withdrawal protocol. WhenU wants to withdraw a coin, he first proves ownership of his
account and negotiates a common information∆. To this end, the following withdrawal protocol betweenU andBis performed:
Step 1. B randomly chooses an elementQ∈R G1, and computesz =e(M, SID),a=e(P, Q),
and b =e(M, Q). He also randomly chooses a number r ∈R Z∗
q, and computes U = rP, and Y =rQID. He then sends (z, a, b, U, Y) toU.
Step 2. U generates random numbers α, x1, x2, u, v, λ, µ, γ ∈R Zq, and computes M′ = αM,
A =e(M′, QID), B =gx1
1 g x2
2 , z
′ = zα, a′ = augv, b′ = buαAv, Y′ = λY +λµQID−γH(∆),
U′ =λU +γPpub, c′ =H
0(M′, Y′, U′, A, B, z′, a′, b′), h1 =c′/u, andh2 =λ− 1
c′+µ. He then
sendsh1, h2 toB.
Step 3.Bresponds withS1=Q+h1SID, S2= (r+h2)SID+rH(∆).
Step 4. If the equationse(P, S1) =ayh1ande(M, S1) =bzh1hold,UcomputesS1′ =uS1+vQID,
andS′
2=αS2.
We sayM′, B, ∆,(Y′, U′, z′, c′, S′
1, S
′
2) is a valid coin of whichU knows a representation.
The payment protocol. When U wants to spend his coin at S, the following protocol is
per-formed:
Step 1.U sendsM′, B, ∆,(Y′, U′, z′, c′, S′
1, S
′
2) toS.
Step 2. LetA=e(M′, QID), and ifA6=O,Sthen sendsUa challenged=H
1(A, B, IDS, date/time),
whereIDS can be the account number ofS,date/timeis the number representing date and time
of the transaction.
Step 3.U computes the responsesr1=d(u1α) +x1 andr2=dα+x2and sends them toS.
S accepts the coin if and only if (Y′
, U′
, z′
, c′
, S′
1, S
′
2) is a valid signature on (M
′
, B, ∆), and gr1
1 g r2 2 =A
dB.
The deposit protocol. After some delay in time,S sends Bthe payment transcript, consisting
ofM′, B, ∆,(Y′, U′, z′, c′, S′
1, S
′
2),(r1, r2) and date/time of transaction.Bfirst checks the validity of the coin. If the verifications hold, he then searches its deposit database to find out whether M′
has been stored before. If M′
has not stored before, B stores M′
, ∆, date/time,(r1, r2) in its database; Else,Bcan detect double-depositing (the same challenge)or double-spending (the different challenge). The information of (r1−r1′)/(r2−r′2) serves as a proof to trace the dishonest double-spender.
6
Conclusions
Furthermore, we give a formal proof of security for the proposed schemes in the random oracle model. As an application, we use the proposed signature scheme to build an untraceable off-line electronic cash system followed Brand’s construction.
References
1. M. Abe and E. Fujisaki,How to date blind signatures, Advances in Cryptology-Asiacrypt 1996, LNCS 1163, pp. 244-251, Springer-Verlag, 1996.
2. M. Abe and T. Okamoto,Provably secure partially blind signature, Advances in Cryptology-Crypto 2000, LNCS 1880, pp. 271-286, Springer-Verlag, 2000.
3. D. Boneh and M. Franklin,Identity-based encryption from the Weil pairings, Advances in Cryptology-Crypto 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.
4. D. Boneh, B. Lynn, and H. Shacham, Short signatures from the Weil pairings, Advances in Cryptology-Asiacrypt 2001, LNCS 2248, pp. 514-532, Springer-Verlag, 2001.
5. S. Brands,Untraceable Off-line cash in wallet with observers, Advances in Cryptology-Crypto 1993, LNCS 773, pp. 302-318, Springer-Verlag, 1993.
6. S. Brands,An efficient off-line electronic cash system based on the representation problem, Technical Report CS-R9323, Centrum voor Wiskunde en Informatica (CWI), 1993.
7. J. Baek and Y. Zheng, Identity-based threshold decryption, PKC 2004, LNCS 2947, pp. 248-261, Springer-Verlag, 2004.
8. J. Baek and Y. Zheng,Identity-based threshold signature scheme from the bilinear pairings, IAS’04 track of ITCC’04, pp. 124-128, IEEE Computer Society, 2004.
9. J. Cha and J. Cheon,An identity-based signature from gap Diffie-Hellman groups, PKC 2003, LNCS 2567, pp. 18-30, Springer-Verlag, 2003.
10. D. Chaum,Blind signature for untraceable payments, Advances in Cryptology-Eurocrypt 82, Plenum Press, pp. 199-203, 1982.
11. D. Chaum and T.P. Pedersen,Wallet databases with observers, Advances in Cryptology-Crypto 1992, LNCS 740, pp. 89-105, Springer-Verlag, 1993.
12. S.M. Chow, C.K. Hui, S.M. Yiu and K.P. Chow, Two improved partially blind signature schemes from bilinear pairings, ACISP 2005, LNCS 3574, pp. 316-328, Springer-Verlag, 2005. Full version can be found at: http://eprint.iacr.org/2004/108.
13. F. Hess,Efficient identity based signature schemes based on pairingss, SAC 2002, LNCS 2595, pp. 310-324, Springer-Verlag, 2002.
14. A. Juels, M. Luby, and R. Ostrovsky,Security of blind signatures, Advances in Cryptology-Crypto 1997, LNCS 1294, pp. 150-164, Springer-Verlag, 1997.
15. G. Maitland and C. Boyd,A provably secure restrictive partially blind signature scheme, PKC 2002, LNCS 2274, pp. 99-114. Springer-Verlag, 2002.
16. D. Pointcheval,Strengthened security for blind signatures, Advances in Cryptology-Eurocrypt 1998, LNCS 1403, pp. 391-403, Springer-Verlag, 1998.
17. D. Pointcheval and J. Stern, Provably secure blind signature schemes, Advances in Cryptology-Asiacrypt 1996, LNCS 1163, pp. 252-265, Springer-Verlag, 1996.
18. D. Pointcheval and J. Stern,Security arguments for digital signatures and blind signatures, Journal of Cryptography, Vol 13, No.3, pp. 361-396, Springer-Verlag, 2000.
19. A. Shamir,Identity-based cryptosystems and signature schemes, Advances in Cryptology-Crypto 84, LNCS 196, pp. 47-53, Springer-Verlag, 1984.
Signer Receiver
∆
M
Q∈RG1
Compute z=e(M, SID)
a=e(P, Q)
b=e(M, Q) r∈RZq∗
Compute U =rP
Y =rQID z, a, b, U, Y
- α, β, u, v∈RZq
Compute
M′=αM+βP
A=e(M′, QID) z′=zαyβ
a′=augv b′=auβbuαAv
λ, µ, γ∈RZq
Compute Y′=λY +λµQ
ID−γH(∆) U′=λU+γP
pub
c′=H3(M′, Y′, U′, A, z′, a′, b′)
h1=c′/u
h2=λ−
1 c′+µ h1, h2
Compute S1=Q+h1SID
S2= (r+h2)SID+rH(∆)
S1, S2
- Check
e(P, S1)=? ayh1 e(M, S1)=? bzh1
Compute S′
1=uS1+vQID S′
2=λS2
